New SAP AFX Connector - JavaCodeBased Tutorial

I posted SAP collectors and connectors earlier on RSA Link, and this time I am porting my recent AFX Connector for SAP with extra capabilities(AddAccountToGroup, AddProfile or AddCompositeProfile, Lock/Unlock) and attributes(e.g. email, department) to the JavaCodeBased AFX Connector, which is pretty much aimed at developers as a SDK. However, good thing, once a connector is created with custom Java and jars using the toolkit(available here: https://knowledge.rsasecurity.com/scolcms/set.aspx?id=10689 ) the connector can be exported and imported to a new environment without having to manually recreate it.

My original connector calling similar Java code but using SSH Connector required the use of a properties file, and was also using output files for the SAP Destination provider. I improve on those aspects by pushing the settings and credentials to where it should belong, the Settings tab for the connector, and I eliminated the output file Destination provider, and cleaned up the Java a bit. The original connector can be found here: SAP BAPI/Jco Connector using AFX(SSH + Java)

Let's get started first with a high level overview, then we can dive into the JavaCodeBased tutorial portion. First you will need an instance of L&G that can reach the outside world or your test SAP, and then if you don't have a test SAP environment, you can get one from IDES (see http://idesaccess.com/ ). Then you can import the connector, change the credentials and system info on the Settings page, and then you can start testing the capabilities. Note that not all instances from IDES seem to provide the right permissions through Jco for the service account they provide, you may need to ask for the permissions.

After importing the connector, you need to provide your SAP information and credentials:

Then you can take a look at the capabilities, which you need to create manually if you start with a brand new JavaCodeBased connector:

Now there is a gap with the 7.0 version of JavaCodeBased connector, it only allows for importing jar files, while SAP requires also libsapjco3.so library which is not a jar. The temporary workaround(until a fix or better workaround is identified) is to upload the file manually under the connector, and touch the config file to restart the connector without redeploying it(which would wipe out the file):

Now we can start testing capabilities. Let's start with CreateAccount:

In order to test that CreateAccount worked, you can just try to login to SAP with new account/temporary password. You will be prompted to select a new password:

Then you can test AddAccountToGroup. For this, we will use SU01D:

Then add Profile(AddAppRoleToAccount):

Then add Role to Account:

Then Lock and Unlock Account. We will use SE11 to show USR02 table to confirm that the status is changed on the SAP side:

Then lastly, ResetPassword, for which you can just try to login again with new temporary password:

That's already more capabilities and attributes than the official SAP connector. It is possible to add support for other capabilities and attributes, and one way to figure out what ABAP functions are available and what is the type for each attribute is to 1- Google to find out the name of the BAPI function that does what you want 2- Use SE37 Function Builder to test those functions(see last section below).

Once you know which ABAP you want, you can edit the source code and recompile. Since a jar is just a renamed zip file, you can expand the jar archive and rezip/rename after your changes. When you update the connector, upload the new jar with a different name, then delete the old jar and click OK even if the screen does not come back(seems to be a bug in 7.0). Confirm that your new jar is uploaded in config.

Since I am not a developer, I don't have Eclipse or fancy tools on my desktop, so I just use Notepad to edit the Java source file. Here is a quick tutorial on the way the file works for the SAP capabilities, but you could use this example or the one provided with the toolkit(Oracle) to build a new connector.

First we will create the Java as a package, and then add the needed dependencies(extra ones here, we could clean that up):

import com.sap.conn.jco.ext.DestinationDataEventListener;------------------------------------------------------------Then we need to create a classthatextendsJavaCodeBasedConnectorBase:------------------------------------------------------------

}---------------------------------------------We are basically capturing the settings from the Settings tab of the Connector,8 values, and storing that in a reusable container.We also need a private method that we call in that class:---------------------------------------------

}---------------------------------------------------------------------Then we are down to the Capabilities. First one is CreateAccount. Here is the first portion, almost identical for all capabilities except the list of Parameters is mapped to Connector capabilities parameters:---------------------------------------------------------------------

Note that we perform a test for every capability to check is DestinationDataProvider is already registered. Otherwise if you try a second capability without restarting the connector, you will get a Java error stating that the Destination Data Provider is already registered.

Another approach, similar to the one I used in my previous SSH connector, was to define the connectProperties in first main/first class, but the JavaCodeBased is complaining about a missing sapjco3 library, so it looks like it is performing some extra test when jar is uploaded, and this error was preventing me from uploading the jar. So a little extra code here, and the if condition to prevent the connector from trying to register the Destination multiple times.

Note that the ADDRESS is a structure that contains the attributes(FIRSTNAME, LASTNAME, etc) and that PASSWORD is also a structure with BAPIPWD as an attribute. You can figure out the type of attribute and structure by investigating the BAPI_USER_CREATE function in SE37, best way is in Test mode.

The 2nd portion for DeleteAccount is simpler, and you will find similar examples with Lock and Unlock account:

Usually I just copy my source file to the L&G server and that is where I compile, using the simple script provided in jar archive. I point to /home/oracle/mysap to find the sapjco3.jar and libsapjco3.so at compilation time.

Now if you want to explore and add new capabilities and attributes, here is a quick walkthrough for SE37:

We already noticed that, but this path is wrong on the JavaCodeBased Transport jar that RSA provides on the JavaCodeBased 7.0.2 Template, not only on the Michaels one.

So have we to modify the JavaCodeBased Transport jar? If yes, which are the paths of the jars we need to compile it? Because that was the only thing we wasn't able to find, the jars which owns all the classes mentioned above.

Hi - We are using the JCBC SAP connector on RSA 7.0.0 P05. This was working in an active status,but after moving it into a test status, it started throwing the error - java.lang.ExceptionInInitializerError: JCo initialization failed with java.lang.UnsatisfiedLinkError: no sapjco3 in java.library.path. Can someone advise what could be missing here. The jar files are already in place and no modifications were done on these.Michael BluteauBoris Lekumovich

When you change the state of the connector the system re-deploys the connector.

Michael wrote the following:

Now there is a gap with the 7.0 version of JavaCodeBased connector, it only allows for importing jar files, while SAP requires also libsapjco3.so library which is not a jar. The temporary workaround(until a fix or better workaround is identified) is to upload the file manually under the connector, and touch the config file to restart the connector without redeploying it(which would wipe out the file):